Method Of Handling Safety, Control System And Industrial System

ABSTRACT

A method of handling safety in a working area of an industrial system, wherein at least one machine is arranged to operate in the working area, at least one manually operable safety input device is provided in the working area, and one or more of the at least one machine and the at least one safety input device is movable to different positions in the working area, the method including continuously or repeatedly determining whether one or more of the at least one the machine is in proximity to one or more of the at least one safety input device; and associating at least one machine with the at least one safety input device upon determining that one or more of the at least one machine is in proximity to one or more of the at least one safety input device, such that the at least one associated machine can be brought to a safe state by means of the at least one safety input device.

TECHNICAL FIELD

The present disclosure generally relates to handling of safety inindustrial environments. In particular, a method of handling safety in aworking area of an industrial system, a control system for handlingsafety in a working area of an industrial system, and an industrialsystem comprising such control system, are provided.

BACKGROUND

Working areas of machines in industrial systems are commonly fixed andsafeguarded with fences and associated safety system to ensure a safeenvironment for the operators. The trend in the industry is to increasemobility of machines of industrial systems. One example of suchindustrial system is a factory where some AGVs (automated guidedvehicles) move parts between robots and some AGVs move robots betweenworking stations where the parts are to be machined by the robots. Theincreased mobility of machines (e.g. AGVs and robots) of the industrialsystem in combination with mobility of one or more operators results inhazards which need to be addressed in order to ensure a safe workingenvironment.

US 2017100838 A1 describes methods and apparatus for operating roboticactors in a human/robotic environment. A safety controller that isconfigured to communicate with one or more robotic actors can receiveactor information about at least a location of one or more roboticactors. The safety controller can generate an output including a commandfor controlling operation of a particular robotic actor.

US 2008125908 A1 discloses a method for controlling an industrial robotin an area by means of a portable operator control device comprising anemergency stop button. The robot includes an enabling function whichupon activation enables an enabling device of the portable operatorcontrol device. The enabling function is automatically activated whenthe operator control device enters the area.

SUMMARY

One object of the present disclosure is to provide a method for handlingsafety in a working area of an industrial system, which method providesa safer environment for operators in a dynamic working area with atleast one mobile machine and/or at least one mobile safety input device.

A further object of the present disclosure is to provide a method forhandling safety in a working area of an industrial system, which methodprovides a dynamic handling of safety in a dynamic working area with atleast one mobile machine and/or at least one mobile safety input device.

A still further object of the present disclosure is to provide a methodfor handling safety in a working area of an industrial system, whichmethod provides a simpler, more flexible and/or more reliable handlingof safety in the working area.

A still further object of the present disclosure is to provide a methodfor handling safety in a working area of an industrial system, whichmethod solves several or all of the foregoing objects in combination.

A still further object of the present disclosure is to provide a controlsystem for handling safety in a working area of an industrial system,which control system solves one, several or all of the foregoingobjects.

A still further object of the present disclosure is to provide anindustrial system comprising at least one machine and at least onesafety input device, which industrial system solves one, several or allof the foregoing objects.

According to one aspect, there is provided a method of handling safetyin a working area of an industrial system, wherein a plurality ofmachines are arranged to operate in the working area, at least onemanually operable safety input device is provided in the working area,and one or more of the machines is mobile and movable to differentpositions in the working area, the method comprising continuously orrepeatedly determining whether one or more of the machines is inproximity to one or more of the at least one safety input device; andassociating a plurality of machines with at least one safety inputdevice upon determining that a plurality of the machines are inproximity to one or more of the at least one safety input device, suchthat the plurality of associated machines can be brought to a safe stateby means of the at least one safety input device.

By associating a safety input device with a plurality of machines inproximity to the safety input device in this manner, the safety inputdevice will be capable of bringing different sets of machines to theirrespective safe states, where the set of machines depends on the currentposition layout of the safety input device and the machines in a dynamicworking area. For example, an operator holding a mobile safety inputdevice can walk into proximity of a moving machine such that the mobilesafety input device becomes associated with the moving machine. Theoperator can then walk next to the moving machine and have thepossibility to bring the machine to a safe state at any time.

The machines that are currently associated with a safety input deviceconstitute a span of control of the safety input device. When the safetyinput device and/or the machines move to different positions in theworking area, further machines may be associated with the safety inputdevice and/or associated machines may be dissociated from the safetyinput device, i.e. the span of control of the safety input device maychange. Due to the dynamic spans of control provided by the method,dynamically adaptive protective configurations for operators exposed tothe industrial system can be provided. Each machine associated with asafety input device may be brought to a safe state by a single humanaction on the safety input device, e.g. by pressing a button.

The method according to the present disclosure may be used as acomplement to existing safety methods. In case any of the existingsafety methods fails, or for any other reason, the safety input devicemay be activated to bring the machines associated with the safety inputdevice to a safe state. For example, in case a machine in the form of anAGV does not slow down as intended when approaching an operator, theoperator may activate any of the safety input devices (such as ahand-held safety input device) associated with the AGV in order tomitigate the hazard of the approaching AGV.

Each safety input device of the industrial system may be configured tooverride other control schemes of the machines, such as other safetyfunctions, in order to bring the associated machine to the safe state.Alternatively, each safety input device may be configured to be used asa complement to other control schemes of the machines, such as othersafety functions.

In order to determine whether one or more machines are in proximity toone or more safety input devices, the industrial system may for examplecomprise various types of sensors. Examples of such sensors includescanners, cameras such as FLIR (forward-looking infrared) cameras,radars, proximity sensors, visible light sensors, light barriers,optical sensors, laser sensors, infrared sensors and/or GPS (GlobalPositioning System) sensors. One or more sensors may be provided on oneor more machines and/or on one or more safety input devices. Suchsensors may be referred to as coupled sensors. Alternatively, or inaddition, the industrial system may comprise one or more sensorsseparate from the one or more machines and the one or more safety inputdevices. Such sensors may be referred to as decoupled sensors. In anycase, position data from the sensors may be translated into a commoncoordinate system in order to determine whether one or more machines arein proximity to one or more safety input devices. The sensors may alsobe used to determine the positions of one or more operators in theworking area. In case mobile safety input devices are employed, theposition of the operator may however be approximated with the positionof the safety input device, i.e. it may be supposed that an operatorholds the mobile safety device unless a certain event is triggered (e.g.if a dead man's switch is activated or if a periodic test pulse is notinitiated by a human for a certain time).

The method may for example comprise determining that a machine is inproximity to a safety input device if a distance between the machine andthe safety input device is below a certain distance value. The distancevalue may be static or dynamic. The distance values may be determinedbased on a hazard level of each machine. In case one or more dynamicdistance values are used, the distance values may depend on the type ofsafety input device, the type of machine and/or on the type of operationcarried out by the machine. For example, a larger distance may be setfor stationary safety input devices than for mobile safety inputdevices.

Alternatively, or in addition, a determination whether a machine is inproximity to a safety input device may comprise, or be constituted by, adetermination whether a safety input device is within a hazard zone of amachine. A hazard zone may be defined as a zone in which exposure to themachine is possible and for which an operator needs risk mitigation. Incase movable machines are employed, there will thus be movable hazardzones in the working area. Additionally, a task zone may be definedaround each safety input device. In case there is an overlap between atask zone and a hazard zone, it may be determined that the safety inputdevice is in proximity to the machine and the safety input device mayconsequentially be associated with the machine.

The definition that one or more of the at least one machine and the atleast one safety input device is movable to different positions in theworking area, means that at least one machine and/or at least one safetyinput device is mobile in the working area. Throughout the presentdisclosure, one or more of the at least one machine may be an industrialrobot. Each industrial robot may comprise a manipulator programmable inthree or more axes. Further examples of machines according to thepresent disclosure are AGVs and conveyor belts.

In one example, the industrial system comprises a plurality of machinesand at least one safety input device. In a further example, theindustrial system comprises a plurality of machines and a plurality ofsafety input devices. The working area may for example be an area in afactory.

Various types of safe states of the machines are possible. One exampleof a safe state according to the present disclosure can be achieved bystopping the machine, activating brakes, and removing power to endactuators. An alternative safe state according to the present disclosurecan be achieved by limiting the power to the machine.

The method may further comprise estimating whether one or more of themachines will be in proximity to the at least one safety input devicewithin a time limit; and associating at least one machine, that will bein proximity to the at least one safety input device within the timelimit, with the at least one safety input device, such that the at leastone associated machine can be brought to a safe state by means of the atleast one safety input device. For example, one or more machinesapproaching a safety input device may be associated with the safetyinput device before the machines are in a defined proximity to thesafety input device.

The estimation may be based on a relative speed between the at least onemachine and the at least one safety input device. The method may thusfurther comprise determining a relative speed between at least onemachine and at least one safety input device. The relative speed may bemeasured or estimated.

The method may further comprise determining whether at least one of theassociated machines is no longer in proximity to the at least one safetyinput device; and dissociating the at least one associated machine fromthe at least one safety input device upon determining that at least oneof the associated machines is no longer in proximity to the at least onesafety input device, such that the at least one dissociated machine canno longer be brought to a safe state by means of the at least one safetyinput device.

The method may further comprise determining whether there is anobstructed line of sight between the at least one safety input deviceand one or more of the machines; and dissociating at least oneassociated machine from the at least one safety input device, orrefraining from associating at least one machine with the at least onesafety input device, upon determining that there is an obstructed lineof sight between the at least one safety input device and one or more ofthe machines, such that the at least one dissociated machine cannot bebrought to a safe state by means of the at least one safety inputdevice. In this way, only machines that are in sight of an operator ofthe safety input device will potentially be associated with the safetyinput device. The line of sight between a safety device and a machinemay for example be obstructed by a wall or other fixed installation.

According to one variant, each machine comprises at least one outputfunction for activating a safe state of the machine, the industrialsystem comprises at least one logic device having a logic function, andthe at least one safety input device comprises an input function. Inthis case, the method may further comprise continuously or repeatedlyensuring that each output function belongs to a logic sequencecomprising a logic function and an input function for activating theoutput function by means of the logic function. The method according tothis variant addresses the problem of constructing logic sequences in amobile environment where positions of one or more machines and/or one ormore safety input devices changes over time. The logic device may forexample be a safety PLC (programmable logic controller). The at leastone logic device may be provided in a central control system, in one ormore or the safety input devices and/or in one or more of the machines.

Since one or more of the machines and the at least one safety inputdevice can move in the working area, also the logic sequences becometime dependent. The method ensures that the time dependent logicsequences are fulfilled for identified hazards in a mobile environment.By means of the method, the logic sequences are updated to handle thedynamics in the working area.

The logic sequences may be created in various ways. For example, thelogic sequences may depend on distances between safety input devices andmachines, the static layout of the working area, positions of one ormore operators, and the dynamics of the working area, e.g. directions ofmovement and speed of safety input devices, operators and machines.Which safety input device(s) and which machines to be included inparticular logic sequences may also depend on various risk assessmentsin the working area.

An emergency stop is one example of an input function. There are howeverseveral alternative input functions that may be activated by an operatorto send information to a logic function, and further to an outputfunction with the purpose of bringing the machine to a safe state.

One or more of the at least one safety input device may be movable todifferent positions in the working area. In this case, the method mayfurther comprise continuously or repeatedly determining a position ofthe at least one safety input device in the working area. In someworking areas, it may be difficult for an operator to access astationary safety input device. By means of one or more mobile safetyinput devices according to the present disclosure, the safety in theworking area can be improved.

One or more of the machines is movable to different positions in theworking area. The method may further comprise continuously or repeatedlydetermining a position of the movable machines in the working area.

The method may further comprise providing an indication to an operatorin the working area, the indication indicating which of the machines iscurrently associated with the at least one safety input device. Theindication may for example be a light indication of the same type bothfrom the safety input device and each machine associated with the safetyinput device. For example, a light indication of a particular color maybe issued from the safety input device and from each machine currentlyassociated with the safety input device.

According to a further aspect, there is provided a control system forhandling safety in a working area of an industrial system, wherein aplurality of machines are arranged to operate in the working area, atleast one manually operable safety input device is provided in theworking area, and one or more of the machines is mobile and movable todifferent positions in the working area, the control system comprising adata processing device and a memory having a computer program storedthereon, the computer program comprising program code which, whenexecuted by the data processing device, causes the data processingdevice to perform the steps of determining whether one or more of themachines is in proximity to one or more of the at least one safety inputdevice; and associating a plurality of machines with at least one safetyinput device upon determining that a plurality of the machines are inproximity to one or more of the at least one safety input device, suchthat the plurality of associated machines can be brought to a safe stateby means of the at least one safety input device.

According to a further aspect, there is provided an industrial systemcomprising a working area; a plurality of machines arranged to operatein the working area; at least one safety input device provided in theworking area; and a control system according to the present disclosure;

wherein one or more of the machines is mobile and movable to differentpositions in the working area. The industrial system may be of any typeaccording to the present disclosure.

The industrial system may comprise at least one logic device having alogic function; wherein each machine comprises at least one outputfunction for activating a safe state of the machine; wherein the atleast one safety input device comprises an input function; and whereinthe control system is configured to continuously or repeatedly ensurethat each output function belongs to a logic sequence comprising a logicfunction and an input function for activating the output function bymeans of the input function. The at least one logic device may beprovided in the control system, in one or more of the machines, in oneor more of the safety input devices and/or elsewhere in the industrialsystem.

The at least one safety input device may comprise an emergency stop.Alternatively, or in addition, the industrial system may furthercomprise at least one indication device configured to output anindication on which of the at least one machine is currently associatedwith the at least one safety input device. The at least one indicationdevice may be provided on each safety input device and/or on eachmachine.

BRIEF DESCRIPTION OF THE DRAWINGS

Further details, advantages and aspects of the present disclosure willbecome apparent from the following embodiments taken in conjunction withthe drawings, wherein:

FIG. 1: schematically represents a top view of an industrial system in afirst state; and

FIG. 2: schematically represents a top view of the industrial system inFIG. 1 in a second state.

DETAILED DESCRIPTION

In the following, a method of handling safety in a working area of anindustrial system, a control system for handling safety in a workingarea of an industrial system, and an industrial system comprising acontrol system, will be described. The same reference numerals will beused to denote the same or similar structural features.

FIG. 1 schematically represents a top view of an industrial system 10 ina first state. The industrial system 10 comprises a working area 12, aplurality of machines 14 a-14 l in the working area 12 and a pluralityof safety input devices 16 a-16 c in the working area 12 (each machine14 a-14 l may also be referred to with reference numeral “14” and eachsafety input device 16 a-16 c may also be referred to with referencenumeral “16”). The machines 14 b, 14 c, 14 d, 14 e, 14 f, 14 i, and 14 kare exemplified as industrial robots each having a manipulatorprogrammable in three or more axes. The machines 14 a, 14 g, 14 h, and14 j are exemplified as AGVs. The machine 14 l is exemplified as aconveyor.

The machines 14 a, 14 g, 14 h, 14 i, 14 j, and 14 k are mobile and themachines 14 b, 14 c, 14 d, 14 e, 14 f, and 14 l are stationary. Themachine 14 i is mobile due to being carried by the mobile machine 14 hand the machine 14 k is mobile due to being carried by the mobilemachine 14 j. The machine 14 a moves downwards in FIG. 1 as indicated byarrow 18, the machine 14 g moves upwards in FIG. 1 as indicated by arrow20, the machines 14 h and 14 i move to the left in FIG. 1 as indicatedby arrow 22 and the machines 14 j and 14 k move to the left as indicatedby arrow 24. Since the machines 14 a, 14 g, 14 h, 14 i, 14 j, and 14 kcan move around in the working area 12, the industrial system 10 may besaid to have spatial flexibility. All machines 14, both mobile andstationary, constitute hazards for humans close to the machines 14.

Each machine 14 comprises a safety function in the form of an outputfunction 26 a-26 l (the output functions 26 a-26 l may also be referredto with reference numeral “26”). When the output function 26 of amachine 14 is activated, the machine 14 is brought to a safe state, forexample by turning off the power to motors and engaging brakes. Theoutput function 26 may override existing safety functions of the machine14 or may function as a complement to existing safety functions of themachine 14.

The safety input devices 16 a and 16 b are mobile and carried byoperator 28 a and operator 28 b, respectively (each operator 28 a and 28b may also be referred to with reference numeral “28”). In FIG. 1, theoperator 28 b and the safety input device 16 b move downwards to theright in FIG. 1 as indicated by arrow 30. The safety input device 16 cis stationary.

In this example, the safety input devices 16 a and 16 b are mobileemergency stops arranged in a respective portable teach pendant unit(TPU) and the safety input device 16 c is a stationary emergency stop.Each safety input device 16 a, 16 b, and 16 c provides a safety functionin the form of an input function 32 a, 32 b, and 32 c (the inputfunctions 32 a, 32 b, and 32 c may also be referred to with referencenumeral “32”).

In this example, the input function 32 thus comprises activation of anemergency stop of the respective safety input device 16. However,alternative or additional input functions 32 are possible. For example,the input functions 32 a and 32 b of the movable safety input devices 16a and 16 b may also comprise triggering of a dead man's switch, or awarning signal issued if an operator 16 a and 16 b fails to respond to aperiodic test pulse.

The industrial system 10 further comprises a control system 34. Thecontrol system 34 may control some or more operations of the machines 14and the safety input devices 16. The control system 34 comprises a dataprocessing device 36 and a memory 38. A computer program is stored inthe memory 38. The computer program comprises program code which, whenexecuted by the data processing device 36 causes the data processingdevice 36 to perform, or command performance of, at least some of thesteps as described herein. The control system 34 may be remote from theworking area 12, for example provided in a remote server room. Thecontrol system 34 may communicate wirelessly with the respectivemachines 14 and the respective safety input devices 16.

The industrial system 10 further comprises a plurality of sensors 40a-40 c (the sensors 40 a-40 c may also be referred to with referencenumeral “40”). The sensors 40 a and 40 b are in this example stationarycameras for monitoring the entire working area 12. The working area 12thereby constitutes a supervision zone in which positions of at leastthe movable machines 14 and the movable safety input devices 16 aremonitored. The sensor 40 c is a FLIR camera provided on the movablemachine 14 h. The control system 34 is configured to determine positionsand movement speeds of the machines 14, the operators 28 and the safetyinput devices 16, for example based on images received from the sensors40 a, 40 b, and 40 c. The sensors 40 a, 40 b, and 40 c may thus be insignal communication with the control system 34.

The industrial system 10 in FIG. 1 further comprises a stationary table42 and a plurality of walls 44. The industrial system 10 is arranged tohandle objects 46 by means of the machines 14. In the example in FIG. 1,each of the safety input device 16 b, the machine 14 h, and the machine14 i is illustrated to comprise an indication device 48. Each machine 14and each safety input device 16 of the industrial system 10 may beprovided with such indication device 48. Alternatively, or in addition,the one or more indication devices 48 may be stationary arranged in theworking area 12.

The industrial system 10 is configured to continuously or repeatedlydetermine whether one or more of the machines 14 is in proximity to anyof the safety input devices 16. Whether a machine 14 is in proximity toa safety input device 16 may be determined based on a distance betweenthe machine 14 and the safety input device 16. This distance may howevervary in various ways. For example, a larger distance may be used for thestationary safety input device 16 c and a smaller distance may be usedfor the mobile safety input devices 16 a and 16 b. Thus, in FIG. 1, itmay for example be determined that all machines 14 in the working area12 are in proximity to the safety input device 16 c, that only themachines 14 b, 14 c, 14 d, and 14 l are in proximity to the safety inputdevice 16 a, and that only the machines 14 c, 14 d, and 14 e are inproximity to the safety input device 16 b. Based on these proximitydeterminations, the machines 14 a-14 l are associated with the safetyinput device 16 c such that each machine 14 a-14 l can be brought to asafe state by means of the safety input device 16 c, the machines 14 b,14 c, 14 d, and 14 l are associated with the safety input device 16 asuch that each machine 14 b, 14 c, 14 d, and 14 l can be brought to asafe state by means of the safety input device 16 a, and the machines 14c, 14 d, and 14 e are associated with the safety input device 16 b suchthat each machine 14 c, 14 d, and 14 e can be brought to a safe state bymeans of the safety input device 16 b.

In the example in FIG. 1, the stationary safety input device 16 c isthus associated with movable machines 14 a, 14 g, 14 h, 14 i, 14 j, and14 k in the working area 12 in contrast to many stationary emergencystops according to the prior art. Although the machine 14 a may bedetermined to be in proximity to the safety input device 16 a, there isa wall 44 between the machine 14 a and the safety input device 16 a.Since there is an obstructed line of sight between the safety inputdevice 16 a and the machine 14 a due to the wall 44, the safety inputdevice 16 a may not be associated with the machine 14 a. The positionsof the walls 44 in the working area 12 may for example be determined bythe control system 34 based on image data from the sensors 40 a and 40b.

The industrial system 10 further comprises at least one logic function50. In this example, the industrial system 10 comprises a plurality oflogic functions 50. A logic function 50 may for example be provided inone or more machines 14, such as in a safety PLC thereof, in the controlsystem 34 and/or in a central server.

In FIG. 1, the machines 14 b-14 d comprise respective logic functions 50b-50 d, the machine 14 f comprises a logic function 50 f, the machine 14h comprises a logic function 50 h, the machine 14 j comprises a logicfunction 50 j, the machine 14 l comprises a logic function 50 l and thecontrol system 34 comprises a logic function 50 m (the logic functions50 b-50 d, 50 f, 50 h, 50 j, 50 l and 50 m may also be referred to withreference numeral “50”). The reason that for example each of themachines 14 b-14 d, and 14 f comprises a respective logic function 50b-50 d, and 50 f but the machine 14 e does not, may be that the machines14 b-14 d, and 14 f come from a different supplier than the machine 14e. Thus, the machines 14 b-14 d, and 14 f may be delivered with logicfunctions 50 b-50 d, and 50 f grouped with respective output functions26 b-26 d, and 26 f.

In case the operator 28 a activates the input function 32 a of thesafety input device 16 a, the input command will be sent to all logicfunctions 50 of logic sequences having output functions 26 associatedwith the input function 32 a. In FIG. 1, the input command will be sentto the respective logic functions 50 b-50 d, and 50 l of the machines 14b-14 d, and 14 l and each machine 14 b-14 d, and 14 l will thereby bebrought to a safe state. One example of a logic sequence thus comprisesactivation of the input function 32 a (e.g. when the operator 28 apresses an emergency button on the safety input device 16 a), sendinginformation regarding activation of the input function 32 a to the logicfunctions 50 b-50 d, and 50 l, and activation of the output functions 26b-26 d, and 26 l by the logic functions 50 b-50 d, and 50 l to bring themachines 14 b-14 d, 14 l to their respective safe states.

In case the operator 28 b activates the input function 32 b of thesafety input device 16 b, the input command will be sent to all logicfunctions 50 of logic sequences having output functions 26 associatedwith the input function 32 b. In FIG. 1, the input command will be sentto the respective logic functions 50 c and 50 d of the machines 14 c and14 d and to the logic function 50 m of the control system 34. Since thelogic function 50 c belongs to a logic sequence comprising the outputfunction 26 c, the logic function 50 d belongs to a logic sequencecomprising the output function 26 d, and the logic function 50 m belongsto a logic sequence comprising the output function 26 e, each machine 14c-14 e will thereby be brought to a safe state.

In case an operator 28 activates the input function 32 c of thestationary safety input device 16 c, the input command will be sent toall logic functions 50 of logic sequences having output functions 26associated with the input function 32 c. Thereby, all machines 14 in theworking area 12 will be brought to a safe state.

Since for example the machine 14 a does not comprise any logic function“onboard”, the input function 32 c may be processed by the logicfunction 50 m of the control system 34 and the logic function 50 m mayin turn activate the output function 26 a of the machine 14 a in orderto bring the machine 14 a to a safe state. Thus, not all input commandsneed to be processed in the working area 12.

The control system 34 may regularly diagnose the functionality of thesensors 40 a and 40 b. The sensor 40 c may for example be diagnosed bythe logic function 50 h of the machine 14 h.

The industrial system 10 in FIG. 1 may be said to comprise a pluralityof safety systems. Each safety system may be divided in three safetyfunctions comprising an input function 32, a logic function 50 and anoutput function 26. When an input function 32 is activated, theinformation is transferred to a logic function 50. The logic function 50will then transfer information to one or more output functions 26. As aresult, the identified hazard is to decease. Thus, a logic sequence ofan input function 32, a logic function 50 and an output function 26 willbring the machine 14 to a safe state. The number and location of thelogic functions 50 may vary as long as each output function 26 belongsto a logic sequence comprising a logic function 50 and an input function32 for activating the output function 26 by means of the logic function50. One challenge with a working area 12 of the type FIG. 1, whichconstitutes a mobile environment, is to construct appropriate logicsequences when one or more positions of the input functions 32 and/orone or more positions of the output functions 26 change over time.

The three safety functions (the input function 32, the logic function 50and the output function 26) to form a minimum safety system can begrouped together or be standalone. For example, an input function 32 canbe grouped with a logic function 50 and/or an output function 26, thelogic function 50 can be grouped with the output function 26, and/or theinput function 32, the logic function 50 and the output function 26 canbe grouped. The relationships between the input functions 32, the logicfunctions 50 and the output functions 26 may need to be considered inorder to provide a safe working area 12. Within the working area 12 ofthe industrial system 10, where no fences or similar restrictions areprovided for the machines 14, and where operators 28 and the machines 14are mobile relative to each other, it may not be feasible to have staticlogic sequences comprising an input function 32, a logic function 50 andan output function 26.

There are often many instances of the minimum safety system for one ormore machines 14. Thus, for an industrial system 10 comprising aplurality of machines 14, there may be a large number of minimum safetysystems to be handled. For example, the input function 32 a and theoutput function 26 a may belong to different logic sequences. The inputfunction 32 a may belong to logic sequences comprising the logicfunctions 50 b-50 d, and 50 l and the output functions 26 b-26 d, and 26l. The output function 26 a of the machine 14 a may belong to a logicsequence comprising the input function 32 c of the safety input device16 c and the logic function 50 m of the control system 34. The logicsequences are continuously or repeatedly updated to include or excludevarious safety input devices 16 and machines 14 in order to handle thedynamics of the industrial system 10.

As the operator 28 b moves in the direction of arrow 30 and the machines14 h and 14 i move in the direction of arrow 22, the distance betweenthe operator 28 b and the machines 14 h and 14 i will reduce and theoperator 28 b will eventually be in a determined proximity to themachines 14 h and 14 i. The machines 14 h and 14 i may be evaluated as apotential hazard for the operator 28 b, for example by means of a riskanalysis carried out in the control system 34. The mitigation of theidentified hazard is to bring the moving machines 14 h and 14 i to asafe state, for example a full stop of the moving machines 14 h and 14i.

In FIG. 1, it may be determined that the safety input device 16 b willbe in proximity to the machines 14 h and 14 i within a certain timelimit and the safety input device 16 b may optionally be associated withthe machines 14 h and 14 i before being in proximity to the machines 14h and 14 i. A similar “early association”, i.e. before the safety inputdevice 16 b is in proximity to the machines 14 h and 14 i, may be madebased on a relative speed between the safety input device 16 b and themachines 14 h and 14 i.

FIG. 2 schematically represents a top view of the industrial system 10in FIG. 1 when adopting a second state, a certain time limit afteradopting the first state in FIG. 1. In FIG. 2, the operator 28 b hasmoved out from the hazard zones of the machines 14 c-14 e. Since theoperator 28 b is no longer in proximity to the machines 14 c-14 e, thesafety input device 16 b is dissociated from the machines 14 c-14 e.However, the operator 28 b is now in proximity to the machines 14 h and14 i and the safety input device 16 b is now associated with themachines 14 h and 14 i. Thus, based on the relative positions of thesafety input device 16 b and the machines 14, different sets of machines14 can be brought to their respective safe state by means of the safetyinput device 16 b. That is, the spans of control of the safety inputdevices 16 are varied dynamically in the working area 12.

Furthermore, in the state of the industrial system 10 in FIG. 2, themachines 14 j and 14 k have left the working area 12. The machines 14 jand 14 k may therefore be dissociated from the safety input device 16 cand instead be associated with one or more safety input devices in aneighboring working area (not shown).

In FIG. 2, the input function 32 b of the safety input device 16 b isdisconnected from the logic sequences comprising the logic functions 50c, 50 d, and 50 m and the output functions 26 c-26 e, and is nowconnected to the logic sequence comprising the logic function 50 h andthe output functions 26 h and 26 i. The output functions 26 c-26 e stillbelong to at least one logic sequence. That is, the output functions 26c-26 e belong to the logic sequences comprising the input function 32 cand the output functions 26 c and 26 d belong to the logic sequencescomprising the input function 32 a.

When the safety input device 16 b becomes associated with the machines14 h and 14 i, each indication device 48 of the safety input device 16 band the machines 14 h and 14 i issues an indication 52. In FIG. 2, theindications 52 are exemplified as blinking lights of the same color, forexample a non-red color. The operator 28 b can thereby clearly see thatthe two machines 14 h and 14 i are currently associated with the safetyinput device 16 b and will thereby know that each machine 14 h and 14 ican be brought to a safe state by activating the safety input device 16b.

The operator 28 b holding the mobile safety input device 16 b can thuswalk into proximity of the moving machines 14 h and 14 i such that themobile safety input device 16 b becomes associated with the movingmachines 14 h and 14 i. The operator 28 b can then walk next to themoving machines 14 h and 14 i and have the possibility to bring themachines 14 h and 14 i to a safe state at any time. When the operator 28b (holding the safety input device 16 b) walks away from the movingmachines 14 h and 14 i, the safety input device 16 b is dissociated fromthe machines 14 h and 14 i.

While the present disclosure has been described with reference toexemplary embodiments, it will be appreciated that the present inventionis not limited to what has been described above. For example, it will beappreciated that the dimensions of the parts may be varied as needed.

1. A method of handling safety in a working area of an industrialsystem, wherein a plurality of machines are arranged to operate in theworking area, at least one manually operable safety input device isprovided in the working area, and one or more of the machines is mobileand movable to different positions in the working area, the methodcomprising: continuously or repeatedly determining whether one or moreof the machines is in proximity to one or more of the at least onesafety input device; and associating a plurality of machines with atleast one safety input device upon determining that a plurality of themachines are in proximity to one or more of the at least one safetyinput device, such that the plurality of associated machines can bebrought to a safe state by means of the at least one safety inputdevice.
 2. The method according to claim 1, further comprising:estimating whether one or more of the machines will be in proximity tothe at least one safety input device within a time limit; andassociating at least one machine, that will be in proximity to the atleast one safety input device within the time limit, with the at leastone safety input device, such that the at least one associated machinecan be brought to a safe state by means of the at least one safety inputdevice.
 3. The method according to claim 2, wherein the estimation isbased on a relative speed between the at least one machine and the atleast one safety input device.
 4. The method according to claim 1,further comprising: determining whether at least one of the associatedmachines is no longer in proximity to the at least one safety inputdevice; and dissociating the at least one associated machine from the atleast one safety input device upon determining that at least one of theassociated machines is no longer in proximity to the at least one safetyinput device, such that the at least one dissociated machine can nolonger be brought to a safe state by means of the at least one safetyinput device.
 5. The method according to claim 1, further comprising:determining whether there is an obstructed line of sight between the atleast one safety input device and one or more of the machines; anddissociating at least one associated machine from the at least onesafety input device, or refraining from associating at least one machinewith the at least one safety input device, upon determining that thereis an obstructed line of sight between the at least one safety inputdevice and one or more of the machines, such that the at least onedissociated machine cannot be brought to a safe state by means of the atleast one safety input device.
 6. The method according to claim 1,wherein each machine comprises at least one output function foractivating a safe state of the machine, the industrial system includesat least one logic device having a logic function, and the at least onesafety input device includes an input function; and wherein the methodfurther comprises: continuously or repeatedly ensuring that each outputfunction belongs to a logic sequence including a logic function and aninput function for activating the output function by means of the logicfunction.
 7. The method according to claim 1, wherein one or more of theat least one safety input device is movable to different positions inthe working area.
 8. The method according to claim 1, further comprisingproviding an indication to an operator in the working area, theindication indicating which of the machines is currently associated withthe at least one safety input device.
 9. A control system for handlingsafety in a working area of an industrial system, wherein a plurality ofmachines are arranged to operate in the working area, at least onemanually operable safety input device is provided in the working area,and one or more of the machines is mobile and movable to differentpositions in the working area, the control system comprising a dataprocessing device and a memory having a computer program stored thereon,the computer program including program code which, when executed by thedata processing device, causes the data processing device to perform thesteps of: determining whether one or more of the machines is inproximity to one or more of the at least one safety input device;wherein the computer program comprises program code which, when executedby the data processing device, causes the data processing device toperform the step of: associating a plurality of machines with at leastone safety input device upon determining that a plurality of themachines are in proximity to one or more of the at least one safetyinput device, such that the plurality of associated machines can bebrought to a safe state by means of the at least one safety inputdevice.
 10. An industrial system comprising: a working area; a pluralityof machines arranged to operate in the working area; at least one safetyinput device provided in the working area; and a control systemaccording to claim 9; wherein one or more of the machines is mobile andmovable to different positions in the working area.
 11. The industrialsystem according to claim 10, further comprising at least one logicdevice having a logic function; wherein each machine comprises at leastone output function for activating a safe state of the machine; whereinthe at least one safety input device includes an input function; andwherein the control system is configured to continuously or repeatedlyensure that each output function belongs to a logic sequence including alogic function and an input function for activating the output functionby means of the input function.
 12. The industrial system according toclaim 10, wherein the at least one safety input device comprises anemergency stop.
 13. The industrial system according to claim 10, furthercomprising at least one indication device configured to output anindication on which of the at least one machine is currently associatedwith the at least one safety input device.
 14. The industrial systemaccording to claim 13, wherein the at least one indication device isprovided on each safety input device and/or on each machine.
 15. Themethod according to claim 2, further comprising: determining whether atleast one of the associated machines is no longer in proximity to the atleast one safety input device; and dissociating the at least oneassociated machine from the at least one safety input device upondetermining that at least one of the associated machines is no longer inproximity to the at least one safety input device, such that the atleast one dissociated machine can no longer be brought to a safe stateby means of the at least one safety input device.
 16. The methodaccording to claim 2, further comprising: determining whether there isan obstructed line of sight between the at least one safety input deviceand one or more of the machines; and dissociating at least oneassociated machine from the at least one safety input device, orrefraining from associating at least one machine with the at least onesafety input device, upon determining that there is an obstructed lineof sight between the at least one safety input device and one or more ofthe machines, such that the at least one dissociated machine cannot bebrought to a safe state by means of the at least one safety inputdevice.
 17. The method according to claim 2, wherein each machinecomprises at least one output function for activating a safe state ofthe machine, the industrial system includes at least one logic devicehaving a logic function, and the at least one safety input deviceincludes an input function; and wherein the method further comprises:continuously or repeatedly ensuring that each output function belongs toa logic sequence including a logic function and an input function foractivating the output function by means of the logic function.